Dropbox erects sueball shield with new T&C and privacy legalese

Drops mention of AWS, forbids class actions and makes arbitration compulsory for all

Grumpy with Dropbox? Forget sueing the company, which is trying to keep you from your lawyers with its new Terms of Service document effective as of March 24th, 2014.

Dropbox has been progressively notifying its customers of its new rules over recent days. Your correspondent received an email yesterday, but legal blog Lawyerist received it a few days ago and has noted that the company is trying to head off legal action in interesting ways.

Firstly, Dropbox now insists “We want to address your concerns without needing a formal legal case. Before filing a claim against Dropbox, you agree to try to resolve the dispute informally by contacting dispute-notice@dropbox.com. We'll try to resolve the dispute informally by contacting you via email. If a dispute is not resolved within 15 days of submission, you or Dropbox may bring a formal proceeding.”

In other words don't even think of throwing a sueball until you tell us what you're thinking so we can do everything in our power to cut you off at the pass.

If you send such an email, Dropbox has made arbitration a compulsory next step, unless you opt out by completing this form before April 24th. If you stay opted in, The American Arbitration Association's processes will be used, and “The arbitration will be held in the United States county where you live or work, San Francisco (CA), or any other location we agree to.”

Let's hope you can make it to Reykjavik in case Dropbox decides that's a nice place for arbitration.

If your complaint against Dropbox is shared with others, forget banding together thanks to this clause:

“No Class Actions. You may only resolve disputes with us on an individual basis, and may not bring a claim as a plaintiff or a class member in a class, consolidated, or representative action. Class arbitrations, class actions, private attorney general actions, and consolidation with other arbitrations aren't allowed.”

Your correspondent takes that to mean that if Dropbox deletes every one of its users folders named “Family photos” you'll have to go mano e mano rather than find a nice lawyer willing to virtualise you into a single, larger, lawsuit.

The service has also posted an updated privacy policy that differs markedly in wording from its April 2013 predecessor but on our reading does not suggest the company plans to collect more personal data. Indeed, the new policy outlines a plan to honour Do Not Track requests. “If our systems receive a DNT:1 signal from your browser, we’ll stop using pixels to promote our services on third-party sites accessed via that browser,” according to the company's Cookie-handling advice.

There are a couple of interesting-looking additions to the policy. Here's one:

“If you are not a Dropbox for Business user but interact with a Dropbox for Business user (by, for example, joining a shared folder or accessing stuff shared by that user), members of that organization may be able to view the name, email address and IP address that were associated with your account at the time of that interaction.”

That may give you pause before you download something from a Dropbox for Business account.

There's also an interesting nugget for those who may use Dropbox for personal and work purposes, to wit:

“If you are a Dropbox for Business user, your administrator may have the ability to access and control your Dropbox for Business account. Please refer to your employer's internal policies if you have questions about this.”

One interesting omission in the new privacy policy is Amazon Web Services (AWS). The current privacy policy says “As of the date this policy went into effect, we use Amazon’s S3 storage service to store some of your information (for example, your Files)”. The new privacy policy makes no mention of AWS.

There are still plenty of mentions of service providers in the new policy, and the term “our servers” is used often in both versions. Dropbox's spokesagency assures us that it is still storing your stuff in AWS' S3 bit buckets. Clearly the company's recent $US250m cash injection isn't enough to build data centres that could rival AWS' for reliability or capacity. ®